NIST CSF

If you are just getting started, I recommend just reading it since it's only 32 pages long.
From the Introduction to Appendix A is 15 pages; it's not that much.

What is it?

  1. The CSF provides a high-level overview of cybersecurity concepts and outlines six Core functions to achieve risk management outcomes: Govern, Identify, Protect, Detect, Respond, and Recover.
  2. The CSF is not prescriptive and is intended to be used with other frameworks and resources.
  3. Its goal is to help organizations identify and assess, prioritize, and communicate cyber risks:
    1. Identify and assess
      1. Describe the security posture of the organization
      2. Determine gaps and progress towards addressing gaps
    2. Prioritize
      1. Prioritize and take action against cybersecurity risks in alignment with an organization's mission and governance expectations, and regulatory and legal requirements
    3. Communicate
      1. Provide a common language for high-level cybersecurity risk management

CSF Overview

  1. CSF is composed of three components:
    1. CSF Core
      1. Uses 6 functions to identify cybersecurity risk outcomes
      2. Intended to be understandable by executives, managers, and practitioners alike
    2. CSF Organizational Profiles
      1. Mechanisms for building an organization's profile that maps to the Core
      2. Can be used to understand current security posture or a desired target posture.
    3. CSF Tiers
      1. A method of characterizing the cybersecurity "rigor" of an organizational profile
      2. Range from Tier 1[1] (lowest) to Tier 4[2] (highest)
  2. Additional resources on the NIST CSF website:
    1. Informative References
      1. Real-world outcomes
    2. Implementation Examples
      1. Examples on how certain outcomes can be achieved
    3. Quick-Start Guides
      1. "A supplementary resource that gives brief, actionable guidance on specific CSF-related topics."
    4. Community Profiles and Organizational Profile Templates
  3. Working with cybersecurity risks
    1. The goals of the

The Core Functions

I found a neat GIF on LinkedIn summarizing the Core Functions and was going to link it here, but the constant animation constantly grabbed my attention and I had to get rid of it.

  1. There are six core Functions in the CSF:
    1. Govern
      1. The newest and most core of core functions
        1. It's critical to integrating the other Functions into an organization
      2. Built with new and reorganized categories from the other Functions
        1. When using the CSF 2.0 Reference Tool, you will see "Withdrawn" categories and subcategories that now map to Governance
      3. Governance "informs how an organization will implement the other five Functions."
    2. Identify
      1. Identify and understand the cybersecurity risks for your organization
    3. Protect
      1. Safeguards to manage risk.
    4. Detect
      1. How the organization detects and analyzes attacks and breaches.
    5. Respond
      1. Incident response and mitigation
    6. Recover
      1. Restoring operation to impacted systems
  2. Each core Function is composed of Categories and Subcategories
    1. Categories and Subcategories use shorthand identifiers
      1. Function.Category-Subcategory
        1. e.g., "GV.OV-01" is the Govern Function, Oversight category, subcategory 01
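As an added illustration (not code from the page or from NIST), a small Python script that parses identifiers of the Function.Category-Subcategory form just described and uses them to compare a Current Profile against a Target Profile, the gap analysis the Organizational Profiles and "Identify and assess" notes above refer to. The two-letter Function codes other than GV are NIST's standard abbreviations; the category codes in the sample data, the 1-4 scores and the profile contents are constructed for the example.

```python
import re

# The six CSF 2.0 Functions keyed by NIST's two-letter prefixes (GV is on the page).
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Function.Category-Subcategory, e.g. "GV.OV-01"
_ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d{2})$")

def parse_id(text: str) -> tuple:
    """Split a CSF identifier like 'GV.OV-01' into (function, category, subcategory)."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed CSF identifier: {text!r}")
    function, category, sub = m.groups()
    if function not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function code: {function}")
    return function, category, sub

def is_valid_id(text: str) -> bool:
    try:
        parse_id(text)
        return True
    except ValueError:
        return False

# Constructed sample profiles: a 1-4 score per subcategory outcome (mirroring the
# Tier scale) for the Current Profile and the desired Target Profile.
CURRENT = {"GV.OV-01": 1, "GV.OC-01": 2, "PR.AA-01": 3, "DE.CM-01": 2}
TARGET = {"GV.OV-01": 3, "GV.OC-01": 2, "PR.AA-01": 3, "DE.CM-01": 4, "RS.MA-01": 3}

def profile_gaps(current: dict, target: dict) -> dict:
    """Return {subcategory_id: shortfall} for each Target outcome not yet met."""
    gaps = {}
    for sid, want in target.items():
        parse_id(sid)  # reject malformed identifiers before comparing
        have = current.get(sid, 0)  # outcome absent from the Current Profile scores 0
        if have < want:
            gaps[sid] = want - have
    return gaps

def gaps_by_function(gaps: dict) -> dict:
    """Roll subcategory shortfalls up to Function names for an executive summary."""
    totals = {}
    for sid, shortfall in gaps.items():
        name = FUNCTIONS[parse_id(sid)[0]]
        totals[name] = totals.get(name, 0) + shortfall
    return totals
```

Outcomes present in the Target Profile but absent from the Current Profile count as a full shortfall, which is how a newly added subcategory surfaces in the gap list.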

CSF Organizational Profiles

More coming...

CSF Tiers

More coming...

CSF 2.0 Reference Tool

  1. Contains a full list of Functions, Categories, and Subcategories
    1. Also lists one or more Implementation Examples per subcategory
    2. Items that were changed between CSF 1.1 and 2.0 are highlighted and detailed
  2. Allows you to easily search, filter, and export functions and categories
    1. Can export as JSON or .xlsx file
      1. Excel Spreadsheet output is configured as a sortable table

Resources

Official

Supplemental


  [1] Partial implementation or limited awareness of risk.

  [2] Highly integrated into the organization or highly adaptive to cybersecurity risks.